{"id":6510,"library":"alibabacloud-sts20150401","title":"Alibaba Cloud STS (Security Token Service) SDK","description":"The `alibabacloud-sts20150401` library is the official Alibaba Cloud SDK for interacting with the Security Token Service (STS) API version 2015-04-01. It allows you to issue temporary access credentials for Alibaba Cloud resources, commonly used for granting temporary permissions or cross-account access. The current version is 1.2.0. Like most Alibaba Cloud SDKs, it follows a stable release cadence, with updates primarily for bug fixes or minor enhancements rather than frequent new features.","status":"active","version":"1.2.0","language":"en","source_language":"en","source_url":"https://github.com/aliyun/alibabacloud-python-sdk","tags":["Alibaba Cloud","STS","Security Token Service","Cloud SDK","IAM","Authentication"],"install":[{"cmd":"pip install alibabacloud-sts20150401","lang":"bash","label":"Install STS SDK"}],"dependencies":[{"reason":"Core utility functions for Alibaba Cloud SDKs.","package":"alibabacloud-tea-util","optional":false},{"reason":"Provides base classes and models for OpenAPI configurations.","package":"alibabacloud-tea-openapi","optional":false},{"reason":"Utility for retrieving environment variables, often used for credential management.","package":"alibabacloud-darabonba-env","optional":false}],"imports":[{"symbol":"Client","correct":"from alibabacloud_sts20150401.client import Client as StsClient"},{"note":"The base `Config` class for client initialization comes from `alibabacloud-tea-openapi`, not the service-specific SDK.","wrong":"from alibabacloud_sts20150401.models import Config","symbol":"Config","correct":"from alibabacloud_tea_openapi.models import Config"},{"symbol":"AssumeRoleRequest","correct":"from alibabacloud_sts20150401.models import AssumeRoleRequest"}],"quickstart":{"code":"import os\nfrom alibabacloud_sts20150401.client import Client as StsClient\nfrom alibabacloud_tea_openapi.models import Config\nfrom alibabacloud_sts20150401.models import AssumeRoleRequest\nfrom alibabacloud_tea_util.models import RuntimeOptions\n\n# Ensure environment variables are set for security\naccess_key_id = os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_ID', '')\naccess_key_secret = os.environ.get('ALIBABA_CLOUD_ACCESS_KEY_SECRET', '')\nrole_arn = os.environ.get('ALIBABA_CLOUD_ROLE_ARN', 'acs:ram::xxxxxxxxxxxxxxx:role/YourRoleName')\nrole_session_name = os.environ.get('ALIBABA_CLOUD_ROLE_SESSION_NAME', 'my-sts-session')\n\nif not access_key_id or not access_key_secret:\n    print(\"Error: ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET must be set.\")\n    exit(1)\n\n# Configure the client\nconfig = Config(\n    access_key_id=access_key_id,\n    access_key_secret=access_key_secret,\n    # STS is a global service, default endpoint is sts.aliyuncs.com\n    endpoint='sts.aliyuncs.com'\n)\n\n# Create a client instance\ntry:\n    client = StsClient(config)\n    print(\"STS Client initialized successfully.\")\n\n    # Prepare the AssumeRole request\n    assume_role_request = AssumeRoleRequest(\n        role_arn=role_arn,\n        role_session_name=role_session_name,\n        duration_seconds=3600 # Optional: specify duration of token in seconds (default is 3600s)\n    )\n\n    # Create a runtime option, useful for setting timeout or retry policy\n    runtime = RuntimeOptions()\n\n    # Call the AssumeRole API\n    response = client.assume_role_with_options(assume_role_request, runtime)\n\n    # Print the temporary credentials\n    credentials = response.body.credentials\n    print(\"\\nAssumed Role Credentials:\")\n    print(f\"AccessKeyId: {credentials.access_key_id}\")\n    print(f\"AccessKeySecret: {credentials.access_key_secret}\")\n    print(f\"SecurityToken: {credentials.security_token[:10]}...{credentials.security_token[-10:]}\") # Truncate for display\n    print(f\"Expiration: {credentials.expiration}\")\n\nexcept Exception as error:\n    print(f\"An error occurred: {error}\")\n    # In a real application, you'd log the full error or specific details\n    # print(error.args[0].get('Code') if hasattr(error, 'args') and len(error.args) > 0 and isinstance(error.args[0], dict) else error)\n","lang":"python","description":"This quickstart demonstrates how to initialize the STS client and call the `AssumeRole` API to obtain temporary credentials. It retrieves AccessKeyId and SecretKey from environment variables for security best practices and specifies a placeholder Role ARN. Remember to replace `YourRoleName` with your actual RAM Role ARN."},"warnings":[{"fix":"Verify the required API version for your STS operations and install the corresponding `alibabacloud-SERVICEAPIVERSION` package.","message":"Alibaba Cloud SDKs often use `alibabacloud-SERVICEAPIVERSION` for their package names. This `sts20150401` package is specifically for the 2015-04-01 API version. Ensure you are using the correct package for the API version you intend to target, as there might be other STS packages for different versions or older SDK styles (e.g., `aliyun-python-sdk-sts`).","severity":"gotcha","affected_versions":"All versions of alibabacloud-sts20150401"},{"fix":"Always import `Config` from `from alibabacloud_tea_openapi.models import Config`.","message":"The base `Config` object for client initialization (e.g., `Config(access_key_id=..., endpoint=...)`) must be imported from `alibabacloud_tea_openapi.models`, not from `alibabacloud_sts20150401.models` or other service-specific packages. Misimporting `Config` is a common mistake that leads to `AttributeError` or unexpected behavior.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Retrieve credentials from environment variables (`os.environ.get`), Alibaba Cloud credentials file, or integrate with an identity provider. The quickstart example uses environment variables.","message":"Authentication credentials (AccessKeyId and AccessKeySecret) should be managed securely. Hardcoding them directly in your code is strongly discouraged. It's recommended to use environment variables, instance RAM roles, or a secrets management service.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Always set `config.endpoint` to the appropriate service endpoint. For global services like STS, `sts.aliyuncs.com` is common.","message":"Although STS is a global service, explicitly setting the `endpoint` in the `Config` object (e.g., `endpoint='sts.aliyuncs.com'`) is a good practice to prevent potential issues if the default resolution changes or if you need to connect through a specific region's endpoint proxy for network reasons.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-15T00:00:00.000Z","next_check":"2026-07-14T00:00:00.000Z","problems":[{"fix":"Install the package using pip: 'pip install alibabacloud-sts20150401'.","cause":"The 'alibabacloud_sts20150401' package is not installed in the Python environment.","error":"ModuleNotFoundError: No module named 'alibabacloud_sts20150401'"},{"fix":"Use the correct import: 'from alibabacloud_sts20150401.client import Client as Sts20150401Client'.","cause":"Incorrect import statement; 'Sts20150401Client' should be imported from 'alibabacloud_sts20150401.client'.","error":"ImportError: cannot import name 'Sts20150401Client' from 'alibabacloud_sts20150401'"},{"fix":"Import 'AssumeRoleRequest' from the 'models' submodule: 'from alibabacloud_sts20150401 import models as sts_20150401_models'.","cause":"Attempting to access 'AssumeRoleRequest' directly from the 'alibabacloud_sts20150401' module instead of its 'models' submodule.","error":"AttributeError: module 'alibabacloud_sts20150401' has no attribute 'AssumeRoleRequest'"},{"fix":"Verify that your `AccessKeyId` is correct and active in the Alibaba Cloud console. Ensure there are no leading or trailing spaces.","cause":"The AccessKey ID provided for authentication is either incorrect, contains typographical errors, or does not exist in your Alibaba Cloud account.","error":"InvalidAccessKeyId.NotFound: Specified access key is not found."},{"fix":"Grant the `AliyunSTSAssumeRoleAccess` system authorization permission to the RAM user, or modify the trust policy of the target RAM role to allow the calling entity to assume it.","cause":"The RAM user or RAM role attempting to call the `AssumeRole` operation does not have the necessary permissions (e.g., `sts:AssumeRole`) or the target RAM role's trust policy does not allow the calling entity to assume it.","error":"NoPermission: No permission perform sts:AssumeRole on this Role."}]}